package com.yn.xr.common.filter;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.yn.xr.common.util.StringUtils;


public class SqlInjectFilter implements Filter
{
	
	 private static List<String> invalidsql = new ArrayList<String>(); 
     private static String error = null; 
     private static boolean debug = false; 
      
     public void doFilter(ServletRequest req, ServletResponse res, FilterChain fc) throws IOException, ServletException { 
         
         HttpServletRequest request = (HttpServletRequest)req; 
         HttpServletResponse response = (HttpServletResponse)res; 
         Map<String, String> params = request.getParameterMap(); 
         Set<String> keys = params.keySet();
         String uri = request.getRequestURI();
 		
         
         //如果是推送数据就直接过
         if(uri.contains("/userAction_pushData.action") || uri.contains("/userAction_rsaPushData.action")){
        	 fc.doFilter(req, res);
        	 return;
         }
         
         for(String key : keys){
             String value = request.getParameter(key); 
             if(debug){ 
                 System.out.println("process params <key, value>: <"+key+", "+value+">"); 
             } 
             if(StringUtils.isEmpty(value) || value.length() < 32) continue;
             for(String word : invalidsql){ 
                 if(word.equalsIgnoreCase(value) || value.contains(word)){ 
                     if(value.contains("<")){ 
                         value = value.replace("<", "<"); 
                     } 
                     if(value.contains(">")){ 
                         value = value.replace(">", ">"); 
                     } 
                     request.getSession().setAttribute("sqlInjectError", "the request parameter \""+value+"\" contains keyword: \""+word+"\""); 
                     response.sendRedirect(request.getContextPath()+error); 
                     return; 
                 }
             } 
         } 
         fc.doFilter(req, res); 
     }
     
     public void init(FilterConfig conf) throws ServletException{
         String sql = conf.getInitParameter("invalidsql"); 
         String errorpage = conf.getInitParameter("error"); 
         String de = conf.getInitParameter("debug");
         
         if(errorpage != null){
             error = errorpage;
         }
         
         if(sql != null){
             invalidsql = Arrays.asList(sql.split(" "));
         }
         
         if(de != null && Boolean.parseBoolean(de)){
             debug = true;
             System.out.println("PreventSQLInject Filter staring...");
             System.out.println("invalid words as fllows (split with blank):");
             for(String s : invalidsql){
                 System.out.print(s+" ");
             }
             System.out.println();
             System.out.println("error page is:"+error);
             System.out.println(); 
         }
     }
     
     public void destroy() {}
	
}
